Security Basics mailing list archives

NTP over several firewalls


From: "nebula" <nebula () punkass com>
Date: Tue, 9 Sep 2003 21:42:47 +0200

Hi all,

[not sure if it came through due to unthoughtful x-posting to two lists.
According to the moderator it did not get through, however, I did get it
via the lists. If you receive this message twice, I apologize...]

I have a question that creates a continuous discussion in our
organisation and I would like to hear your view on it.

We have a network looking like:

Internet --> firewall --> DMZ --> firewall2 --> backend --> firewall 3
--> internal network.

Each network is divided into several VLANs. What I propose to do for NTP is
as follows:

Place an NTP server on the internal network, backend and DMZ.
Let synchronization go as follows: DMZ NTP server --> backend NTP
server --> internal NTP server. Let all hosts in a network sync with
their network NTP server. So DMZ hosts to DMZ NTP and so on. One
exception: Routers on the internet will sync to the DMZ NTP server too.

Now, one of my co-workers wants the hosts to sync their time with the
firewalls, so we do not need to deploy these servers (except for one
which will have the atomic clock connected to it). Personally I find that
connections directed to the firewall should be limited to management of
authentication connections. How do you guys/girls see this?

regards


